Hello,
We have an HTTP Security Header issue detected by the security scan for go-live, about:
- HTTP Header Information Disclosure
- Missing 'Expect-CT' Header
- Missing 'X-Frame-Options' Header
- Missing 'X-XSS-Protection' Header
- Missing Content Security Policy
Could you please suggest how to configure this to solve the problem?
Thank you for your help.
Best Regards,
Patikorn
If you are on-premises you can remove/add headers yourself; refer to these articles: Remove Unwanted HTTP Response Headers, How to Implement Security HTTP Headers to Prevent Vulnerabilities.
If you are on cloud, you will have to open a support ticket with OS.
Some of the headers, e.g. CSP, can be enabled from LifeTime security settings.
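As an added illustration (not from the replies above and not OutSystems' own configuration), a web.config fragment for a self-managed IIS 10+ front end that adds the headers the scan flagged and removes the server-identifying ones; the SAMEORIGIN choice and the minimal CSP value are assumptions that must match the application's real needs, and if CSP is enabled from LifeTime it should be set in one place only.

```xml
<!-- Added example, not OutSystems' own configuration. Assumes IIS 10+ on a self-managed server. -->
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- Information disclosure: stop advertising the application framework -->
        <remove name="X-Powered-By" />
        <!-- Clickjacking defence: allow framing only from the same origin -->
        <add name="X-Frame-Options" value="SAMEORIGIN" />
        <!-- Legacy header that current browsers ignore; present only because the scan flags its absence -->
        <add name="X-XSS-Protection" value="1; mode=block" />
        <!-- Expect-CT is deprecated; without "enforce" this value is report-free and only satisfies the presence check -->
        <add name="Expect-CT" value="max-age=86400" />
        <!-- Assumed minimal CSP; tighten per application. Omit here if CSP is enabled in LifeTime instead. -->
        <add name="Content-Security-Policy" value="default-src 'self'; frame-ancestors 'self'" />
      </customHeaders>
    </httpProtocol>
    <security>
      <!-- Information disclosure: suppress the Server: Microsoft-IIS/x.x header (IIS 10+) -->
      <requestFiltering removeServerHeader="true" />
    </security>
  </system.webServer>
</configuration>
```

These headers apply to every response the site serves, so verify with a header-only request (for example `curl -I`) against a page and a static resource before re-running the scan.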
Hi Patikorn,
In a self-managed (on-premises) environment, one should be able to manage most of them.
Apart from those, check out how to use and configure the Content Security Policy against code injection attacks in applications, irrespective of the environment and infrastructure. CSP is configured using directives that are sent to browsers in HTTP headers. Learn about it at Apply Content Security Policy.
Additionally, in terms of Information Disclosure and other vulnerabilities, check out OutSystems' stance on the Vulnerabilities page.
Regards,
Swatantra
Also, have a look at this post: Removing IIS Response Header
Hi Swatantra,
What if the check box for Enable Content Security is disabled? How do I enable it?
Thank you!